<html>
<head><meta charset="utf-8"><title>encoding crate versions in binaries · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html">encoding crate versions in binaries</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="154495983"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154495983" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154495983">(Jan 06 2019 at 02:03)</a>:</h4>
<p>I'm making another thread for the "encode versions of dependency crates in binaries so they can be audited" idea. So I've tried this:</p>
<div class="codehilite"><pre><span></span><span class="cp">#[used]</span><span class="w"></span>
<span class="cp">#[no_mangle]</span><span class="w"></span>
<span class="k">pub</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="n">ASAN_DEFAULT_OPTIONS</span>: <span class="kp">&amp;</span><span class="nb">&#39;static</span><span class="w"> </span><span class="p">[</span><span class="kt">u8</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">b&quot;SORTA_UNIQUE_PREFIX;key=val</span><span class="se">\0</span><span class="s">&quot;</span><span class="p">;</span><span class="w"></span>

<span class="k">fn</span> <span class="nf">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="n">println</span><span class="o">!</span><span class="p">(</span><span class="s">&quot;Hello, world!&quot;</span><span class="p">);</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</pre></div>


<p>And this doesn't preserve the string in the compiled binary, even in debug mode. It works if I print the string. So this gets dropped as unused at some point despite the <code>#[used]</code> annotation, which in itself only guarantees the item will persist until linking.<br>
This seems to detail additional steps required to make this work: <a href="https://github.com/rust-lang/rust/issues/47384" target="_blank" title="https://github.com/rust-lang/rust/issues/47384">https://github.com/rust-lang/rust/issues/47384</a> - but I have no clue what linker scripts are or how do I mess with them, so I'm probably insufficiently competent to dig deeper into this.</p>



<a name="154496159"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154496159" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154496159">(Jan 06 2019 at 02:09)</a>:</h4>
<p>It is entirely possible that I'm doing this wrong and that there is a much simpler way to put some stuff <em>somewhere</em> in the binary, like a data section.</p>



<a name="154496253"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154496253" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154496253">(Jan 06 2019 at 02:12)</a>:</h4>
<p>If you really wanted to optimize, I think you'd want it in a custom ELF section that the linker wouldn't even map into memory.</p>



<a name="154496255"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154496255" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154496255">(Jan 06 2019 at 02:12)</a>:</h4>
<p>For now I'm trying to make the compiler preserve my string in the binary, nothing more</p>



<a name="154496262"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154496262" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154496262">(Jan 06 2019 at 02:13)</a>:</h4>
<p>such optimizations are likely not going to be portable so I'm not tackling them just yet</p>



<a name="154496318"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154496318" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154496318">(Jan 06 2019 at 02:15)</a>:</h4>
<p>But yeah, good idea. Also it's 3AM here and I feel like my speech is getting less and less coherent, so I'm logging off for today.</p>



<a name="154524497"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524497" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524497">(Jan 06 2019 at 17:44)</a>:</h4>
<p>haha goodnight <span class="user-mention" data-user-id="127617">@Shnatsel</span></p>



<a name="154524501"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524501" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524501">(Jan 06 2019 at 17:44)</a>:</h4>
<p>question for when you wake up: are you also encoding the rustc version? or is there an existing way to get that?</p>



<a name="154524503"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524503" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524503">(Jan 06 2019 at 17:44)</a>:</h4>
<p>I want both of these things <span class="emoji emoji-1f603" title="smiley">:smiley:</span></p>



<a name="154524516"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524516" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524516">(Jan 06 2019 at 17:45)</a>:</h4>
<p>Yeah we should absolutely encode rustc version as well</p>



<a name="154524519"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524519" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524519">(Jan 06 2019 at 17:45)</a>:</h4>
<p>not sure what your use case is but I'd like for an endpoint agent to be able to extract information about currently deployed artifacts</p>



<a name="154524590"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524590" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524590">(Jan 06 2019 at 17:47)</a>:</h4>
<p>The only way to detect stdlib bugs is to encode stdlib version, which currently matches rustc version. So we definitely need to encode rustc version. In <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a> we can just call <code>rustc --version</code>, we don't even need any fancy way to detect it</p>



<a name="154524591"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524591" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524591">(Jan 06 2019 at 17:47)</a>:</h4>
<p>And I have no idea what you mean by "endpoint agent"</p>



<a name="154524755"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524755" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524755">(Jan 06 2019 at 17:52)</a>:</h4>
<p><code>&gt; strings target/release/testie | grep 1.31.1
clang LLVM (rustc version 1.31.1 (b6c32da9b 2018-12-18))</code><br>
so that's already encoded</p>



<a name="154524825"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524825" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524825">(Jan 06 2019 at 17:54)</a>:</h4>
<p>it even survives LTO</p>



<a name="154524892"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154524892" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154524892">(Jan 06 2019 at 17:56)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> an agent that runs on production hosts and monitors deployed artifacts</p>



<a name="154992165"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/154992165" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#154992165">(Jan 12 2019 at 17:24)</a>:</h4>
<p>I have a reasonably ergonomic prototype that encodes contents of <code>Cargo.lock</code> in the binary. It requires you to add the lib as a dependency and call a no-op function from a location reachable in the code; putting it in main() is recommended. Sadly it requires nightly because of <code>test::black_box()</code>. I also have a tool recovering that info.<br>
...aaand now we will wait for like a week until I get an approval to release this from Google.</p>



<a name="155283223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/155283223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#155283223">(Jan 16 2019 at 20:03)</a>:</h4>
<p>I've applied for open-sourcing of my prototype, so now we wait. Two weeks or so, since I'm also asking for copyright assignment to myself so that contributors would not be required to sign a CLA. I'll probably hack on it a bit more in the meanwhile.</p>



<a name="157942148"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/157942148" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#157942148">(Feb 09 2019 at 19:21)</a>:</h4>
<p>3 weeks later I am cleared to release my 60-LoC prototype, so you will be seeing it go up in the next few days.</p>



<a name="159813035"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/159813035" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#159813035">(Mar 02 2019 at 20:19)</a>:</h4>
<p>At long last I have released my proof-of-concept implementation of embedding <code>Cargo.lock</code>into compiled binaries and recovering it: <a href="https://www.reddit.com/r/rust/comments/awlqfi/" target="_blank" title="https://www.reddit.com/r/rust/comments/awlqfi/">https://www.reddit.com/r/rust/comments/awlqfi/</a></p>



<a name="160720662"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/160720662" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#160720662">(Mar 13 2019 at 19:37)</a>:</h4>
<p>It's been over a week but I will take a look at it!</p>



<a name="160722390"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/160722390" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#160722390">(Mar 13 2019 at 20:01)</a>:</h4>
<p>I read the all the Reddit posts and it seems like a cool job you did! </p>
<p>I think the project is mainly targeting organizations (or people) that are actually running the binaries in production and want to know whether their binary contains any (potential) vulnerabilities or not right?</p>
<p>When scanning for vulnerabilities on published crates we can just look at the Cargo.toml file that contains the dependencies right?</p>
<p>I think it would be great if we can somehow include this into Cargo. The question is how we can do it in a stable way that is maybe independent of the specific platform it is compiled for. Another question is whether it would be a good thing to add the dependencies by default, or let people enable the flag themselves? At one point you can say: The amount of bytes included is very small, on the other hand: Organizations that want to monitor their binaries probably will do that as a clear choice. If they actually never monitored their binaries for vulnerabilities and suddenly want to do so, they can always recompile and redeploy their application with these flags enabled.</p>



<a name="160722882"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/160722882" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#160722882">(Mar 13 2019 at 20:08)</a>:</h4>
<blockquote>
<p>I think the project is mainly targeting organizations (or people) that are actually running the binaries in production and want to know whether their binary contains any (potential) vulnerabilities or not right?</p>
</blockquote>
<p>Yep.<br>
I actually want to enable this unconditionally, except for embedded platforms and WASM, and maybe allow <code>strip</code> to remove it. I think "secure by default" is worth a couple of kb in binary size.<br>
As for portability, <code>goblin</code> can parse ELF, PE and Mach-O, so we'll have a native Rust tool for recovering this info easily. It might be worth including some start/stop markers just in case to make recovering this info dead simple from any language.</p>



<a name="160735505"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/160735505" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#160735505">(Mar 13 2019 at 23:02)</a>:</h4>
<p>That sounds good in my opinion! Especially if it's only in the executable / object file and not present during run-time (the program does not use those after all). We should probably create an issue at Cargo for this? Or is it already present?</p>



<a name="160737960"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/160737960" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#160737960">(Mar 13 2019 at 23:48)</a>:</h4>
<p>Yeah I need to write an RFC</p>



<a name="160794485"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/160794485" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#160794485">(Mar 14 2019 at 15:55)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> I have been meaning to implement your STDIN request for processing Cargo.lock files with <code>cargo audit</code>. I totally want to use this <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="160794492"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/encoding%20crate%20versions%20in%20binaries/near/160794492" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/encoding.20crate.20versions.20in.20binaries.html#160794492">(Mar 14 2019 at 15:55)</a>:</h4>
<p>especially with the binaries we are shipping to now-production</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>